Adobe Patches Critical Flaw in Flash Player

Adobe released an emergency update to patch a critical security flaw in Flash Player. Attacks are already exploiting the vulnerability in the wild, according to the company. The bug exists in all editions of the Flash Player, but attackers are currently targeting only Internet Explorer users, Adobe said in an advisory.


The bug exists in all editions of the Flash Player, but attackers are currently targeting only Internet Explorer users, Adobe said in an advisory released May 4. Adobe flagged the update with a priority rating of "1," which means users should install the patch within 72 hours.

Triggering the "object confusion vulnerability" bug can cause the application "to crash and potentially allow an attacker to take control of the affected system," Adobe said. The company did not provide any information about the exploit itself beyond saying it was part of a "targeted" attack. That would imply a small number of victims as the attackers went after specific individuals or companies.

"There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message," Adobe said.

Users who opted into the silent background update mechanism will not be prompted to install this update, version 11.2.202.235, as the company will roll out the fix automatically. In March, Adobe shipped Flash Player 11.2, which offered users the option to turn on silent updates so that the software could download and install updates whenever new ones were available.

Security Watch checked two Windows 7 computers on different networks and verified the latest update had been installed on one machine, but not the other. The update mechanism is set up to ping Adobe's servers once a day to see if there are any updates available. It is likely the machine had pinged Adobe's servers before the update was posted to the servers at about 10 AM Pacific, an Adobe spokesperson said. The update would likely be downloaded within 24 hours, according to Adobe. Users who want to install the update manually can download it from the Adobe website or, for Android versions, from Google Play.

The patch is available for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x.
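Checking a fleet against an advisory like this one is mostly a version-comparison problem, and a naive string comparison gets it wrong ("11.2.202.9" sorts after "11.2.202.233" lexically). The following example, added here and not code from the article or from Adobe, encodes the affected-version ceilings quoted above, compares installed versions numerically, and flags hosts from a constructed inventory listing that still need the patch. The platform labels, inventory format, host names and the `patch_deadline` helper for the priority-1 72-hour window are this example's own assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# "Listed version and earlier" is affected, per the advisory quoted in the article.
# Platform keys are labels chosen for this example, not Adobe's terminology.
AFFECTED_CEILING: Dict[str, str] = {
    "windows": "11.2.202.233",
    "macintosh": "11.2.202.233",
    "linux": "11.2.202.233",
    "android4": "11.1.115.7",
    "android3": "11.1.111.8",
    "android2": "11.1.111.8",
}

# Adobe priority rating "1" means install within 72 hours.
PRIORITY_1_WINDOW = timedelta(hours=72)


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted version string to a tuple of ints so comparison is numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> bool:
    """True if the installed Flash Player build is at or below the advisory's ceiling."""
    key = platform.lower()
    if key not in AFFECTED_CEILING:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) <= parse_version(AFFECTED_CEILING[key])


def patch_deadline(advisory_released: datetime) -> datetime:
    """Latest acceptable install time under a priority-1 rating."""
    return advisory_released + PRIORITY_1_WINDOW


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Parse 'key=value' records, one host per line (constructed format, see below)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        records.append(fields)
    return records


def hosts_needing_patch(inventory_text: str) -> List[str]:
    """Return host names whose installed Flash build is still affected."""
    return [
        rec["host"]
        for rec in parse_inventory(inventory_text)
        if is_vulnerable(rec["platform"], rec["flash"])
    ]


# Constructed sample inventory; host names and builds are invented for the example.
INVENTORY = """\
host=ws-01 platform=Windows flash=11.2.202.233
host=ws-02 platform=Windows flash=11.2.202.235
host=mac-07 platform=Macintosh flash=11.1.102.63
host=tab-03 platform=Android4 flash=11.1.115.7
host=tab-04 platform=Android3 flash=11.1.111.9
"""

if __name__ == "__main__":
    # Advisory date from the article (May 4, 2012); time of day is an assumption.
    released = datetime(2012, 5, 4, 10, 0)
    print("patch by:", patch_deadline(released).isoformat())
    for host in hosts_needing_patch(INVENTORY):
        print("needs update:", host)
```

Only ws-01, mac-07 and tab-03 are reported: ws-02 already carries the fixed build, and tab-04's 11.1.111.9 is above the Android 3.x ceiling even though a string comparison would have ranked it below "11.1.111.8" if that ceiling had ended in a two-digit component.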

This emergency patch marks the fourth time Flash Player was updated in 2012 so far. If you don't have silent updates turned on for Flash, apply the fix immediately.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.
Follow me on Twitter: zdfyrashid